All the vulnerabilities related to the version 3.3.1 of the package
vm2 before 3.6.11 vulnerable to sandbox escape
This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the call stack limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script, allowing it to spawn a child_process and execute arbitrary code.
Prototype Pollution in vm2
This affects the package vm2 before 3.9.4. A prototype pollution attack vector can lead to sandbox escape and execution of arbitrary code on the host machine.
Sandbox bypass in vm2
The package vm2 before 3.9.6 is vulnerable to sandbox bypass via direct access to host error objects generated by Node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.
vm2 vulnerable to Arbitrary Code Execution
The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
This vulnerability was patched in the release of version 3.9.11 of vm2.
None.
Github Issue - https://github.com/patriksimek/vm2/issues/467
The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164
If you have any questions or comments about this advisory:
vm2 vulnerable to sandbox escape
vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
This vulnerability was patched in the release of version 3.9.15 of vm2.
None.
vm2 Sandbox Escape vulnerability
There exists a vulnerability in the source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context.
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
This vulnerability was patched in the release of version 3.9.16 of vm2.
None.
Github Issue - https://github.com/patriksimek/vm2/issues/516
PoC - https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c
If you have any questions or comments about this advisory:
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.
vm2 Sandbox Escape vulnerability
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
This vulnerability was patched in the release of version 3.9.17 of vm2.
None.
PoC - https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
If you have any questions or comments about this advisory:
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.
vm2 vulnerable to Inspect Manipulation
In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the Node inspect method and edit options for console.log.
A threat actor can edit options for console.log.
This vulnerability was patched in the release of version 3.9.18 of vm2.
After creating a vm, make the inspect method readonly with vm.readonly(inspect).
PoC - https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550
If you have any questions or comments about this advisory:
Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.
vm2 Sandbox Escape vulnerability
A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy.
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
This vulnerability was patched in the release of version 3.9.18 of vm2.
None.
PoC - https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac
If you have any questions or comments about this advisory:
Thanks to @arkark (Takeshi Kaneko) of GMO Cybersecurity by Ierae, Inc. for disclosing this vulnerability.
vm2 Sandbox Escape vulnerability
In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code.
Remote Code Execution, assuming the attacker has an arbitrary code execution primitive inside the context of the vm2 sandbox.
None.
None.
PoC - https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9
If you have any questions or comments about this advisory:
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.
vm2 Sandbox Escape vulnerability
In vm2 for versions up to 3.9.19, the Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
Remote Code Execution, assuming the attacker has an arbitrary code execution primitive inside the context of the vm2 sandbox.
None.
None.
PoC is to be disclosed on or after the 5th of September.
While this advisory might look similar to CVE-2023-37466, it is a completely different way of escaping the sandbox.
If you have any questions or comments about this advisory:
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.